Compliance Essentials News - April 2020
This month's round-up of key compliance news includes GDPR reprieves, Marriott data breach, financial crime survey, the FCA & coronavirus, Goldman Sachs praise and more...
Our pick of the most informative compliance news this month
- BA and Marriott get reprieve from ICO
- New Marriott breach affects 5.2m guests
- Regulation in the new normal
- Europe tops financial crime compliance spend
- Insider trading case on brink of collapse over privacy concerns
- Hooray for Goldman Sachs's compliance team!
- HSBC admits AML breaches
- Aerospace engineer awarded £175 k in discrimination case
BA and Marriott get reprieve from ICO
With headlines dominated by coronavirus, maybe it's a good time to bury bad news?
British Airways and Marriott International have been granted a reprieve by the Information Commissioner's Office. You may recall, in July last year, the regulator announced its intention to hand record GDPR fines of £183m and £99m to the pair.
"The ICO initially had six months from issuing the Notice of Intent to British Airways within which it could issue a penalty notice, which has been extended through to May 18, 2020, to allow the ICO to fully consider the representations and information provided by British Airways."
With both firms in sectors that have been hit hard by the coronavirus pandemic, it's possible this was weighing heavy on the regulator. Experts predict the regulator will now seek a fine similar to the one imposed on Facebook.
Yet, it seems unduly lenient with news of Marriott's second data breach. Surely leniency only leads to more non-compliance? *Sigh*
New Marriott breach affects 5.2m guests
Marriott International has reported a second data breach which has exposed the personal information of around 5.2 million guests.
In a statement, it said:
"At the end of February 2020, the company identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. The company believes that this activity started in mid-January 2020. Upon discovery, the company confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests."
The incident was reported on 31 March. Marriott appeared to play it down, explaining that the impact would not be materially significant due to its cyber insurance policy. (Savvy learners will immediately recognise the 4T model there, with the risk being transferred to an insurance company.)
However, security experts were noticeably less confident, pointing out that NSA, CIA, and FBI intelligence officials, as well as diplomats, frequent Marriott hotels. This is the latest in a series of breaches targeting US officials.
Casey Ellis of Bugcrowd said, "This attack emphasizes the need for the hospitality industry to take security seriously. Hotels collect more private personal information than most enterprises (birthdays, passport numbers, email and mailing addresses, and phone numbers). Cybercriminals know what types of organizations collect troves of sensitive data, and given the amount of valuable information at hand, hospitality businesses can no longer afford to ignore their vulnerabilities."
Regulation in the new normal
Compliance experts are warning that the new guidance issued by the Financial Conduct Authority in response to the coronavirus pandemic could make retail financial firms more vulnerable to fraud and AML/CTF offences.
The FCA had suggested that digital substitutes of physical documents (eg scanned pdfs, "selfie" photos and videos) were acceptable means of checking identities and could be used alongside IP addresses, geolocation and mobile phone data to get around the current social distancing measures and travel restrictions.
But, experts warn that the relaxed measures will make companies more vulnerable to financial criminals and indeed, amounts to "bad advice" and a "money launderer's charter".
In response to the claim, an FCA spokesperson said:
"The letter is not intended to represent a relaxation of requirements or to suggest that taking one of the measures in isolation would be appropriate or sufficient verification."
This - and the ICO's stance on GDPR fines - leads us to ask:
- To what extent, if any, are you "pausing" compliance rules due to the coronavirus pandemic? - Is it ever appropriate or acceptable to do this when compliance rules are based on law? How are you continuing to meet your compliance obligations? What decisions are being made? What assessments or risk analyses are carried out beforehand?
- Where are you focusing most compliance effort? - What are the key vulnerabilities (eg remote working, phishing, etc) and how are you addressing them?
- How are you coordinating this compliance effort? - What extra measures or innovations are you implementing to keep compliance "top of mind" for your team, especially those working remotely? Consider virtual hangouts, coffee shops, compliance mentors, etc.
- Do you envisage any compliance "pauses" to quickly restore Business As Usual operations and expedite the recovery? If so, what plans are you making and how are you road-testing those plans?
Europe tops financial crime compliance spend
Financial firms spent a whopping $181 billion on financial crime compliance last year, according to a LexisNexis survey released in April 2020. Surprised?
More surprising still, is the revelation that European firms outspent their North American counterparts by three to four times.
Here are the main findings from a poll of 898 financial crime compliance decision-makers:
- In Europe, the annual cost of financial crime compliance was $137 billion
- The UK spends the most on financial crime compliance ($50bn), closely followed by Germany ($48bn), United States ($26bn), France ($21bn), Italy ($16bn) and Canada ($5bn)
- Generally, smaller companies had fewer AML costs
- European financial firms have bigger compliance teams than other regions (averaging 83 full-time staff)
- European financial firms took more time to conduct business account due diligence (47 hours) compared with firms in the United States (23 hours)
This survey certainly provides interesting insight into variations between jurisdictions. We've all heard the saying - if you thought compliance was expensive, try non-compliance! Someone should work out the correlation between what firms spend and penalties for non-compliance.
Insider trading case on brink of collapse over privacy concerns
A prominent insider-trading case is on the brink of collapse amid privacy concerns.
Eight people, including two bankers, are being investigated for insider dealing following the failed takeover of chemical company Airgas by Air Liquide, with traders Alexis Kuperfis and Lucien Selce alleged to have made over €12 million on the deal.
However, questions are now being asked about whether the evidence was obtained illegally, after a burner phone belonging to one of the trader's friends - used to pass confidential tips between bankers and traders - was tapped.
The court said France's regulator Autorité des Marchés Financiers (AMF) did not obtain proper authorisation to request the phone records of traders and has now referred the case to the European Union Court of Justice to see whether the blunder can be overlooked to salvage the case.
The stakes are high. If the AMF loses the case, then potentially another 40 cases of insider trading (which have netted suspects around €80m) could also be shelved. Uh-oh!
Hooray for Goldman Sachs's compliance team!
The blanket coverage of coronavirus makes us yearn for good news like never before. This month it comes courtesy of Goldman Sachs' compliance team who successfully saved the firm from being dragged into the bribery case of its former executive, Asante Berko.
The US Securities and Exchange Commission has charged Berko, a Goldman Sachs executive until his resignation in 2016, with FCPA anti-bribery violations. He is alleged to have helped AKSA Enerji - a Turkish energy company - win a power plant contract in Ghana by negotiating a contract to funnel payments via an intermediary to Ghanaian government officials. It paid $2.5m to start with and was worth up to $42 million over five years. Berko also received "secret compensation" of $2 million that was not disclosed to Goldman Sachs, using a personal email account to avoid detection by compliance, and was kept on as a consultant for the energy firm after leaving the bank.
The bank's compliance team was, however, singled out for praise by the SEC and is not being charged. Head of corporate communications Nicole Sharpe said, "Goldman Sachs fully cooperated with the SEC’s investigation" and confirmed that its compliance team took "appropriate steps to prevent the firm from participating in the transaction".
Goldman Sachs compliance team pulled out all the stops according to SEC documents:
- Learning about the intermediary during a due diligence review of Berco's emails
- Insisting on enhanced due diligence to assess the reputational risks of the project and address concerns
- Rigorously questioning executives at the energy company about the intermediary's role in the project until they refused to answer any further questions
After the woes of 2019 undoubtedly a remarkable turnaround!
It's a reminder of the vital but sometimes thankless job that compliance professionals do - often in difficult circumstances - to protect our firms from misconduct. We salute you all.
HSBC admits AML breaches
HSBC has reported itself to AUSTRAC - Australia's financial crime agency - for violations of anti-money laundering laws. While a spokesperson has declined to put a number on the suspected number of breaches, it's believed that the figure will be in the thousands. The bank's exposure to money laundering was revealed in its 2019 accounts.
Under Australian AML laws, banks breaching AML regulations face fines of up to $21 million for each offence. HSBC now has the onerous job of identifying specific transactions which have not been reported so far to the regulator. It has also implemented a program to bolster record keeping and report cross-border transactions.
HSBC is the latest bank to face sanctions by AUSTRAC for its involvement in dodgy transactions. Australia's second biggest bank, Westpac, has revealed it expects to take a $1.4 billion hit for its own money laundering scandal which led to the departure of its chief executive and chairman. Westpac's systems were used by paedophiles to pay for child abuse material without any red flags being raised.
The penalty is yet to be confirmed but widely expected to top the AUS$700m record fine handed to Commonwealth Bank to settle breaches in 2018.
- It's easier (and cheaper!) to be proactive and get compliance right from the start - by implementing effective compliance programs. With appropriate governance and oversight, you can avoid financial penalties and safeguard your reputation
- Make sure your team knows what the deadlines are for reporting large transactions - Commonwealth Bank was fined for late filing because it failed to report transactions within the required timeframe (10 business days)
- Scrutinise and rigorously test automated systems and algorithms - a single coding error was thought to be responsible for some 54,000 transactions not being reported by Commonwealth Bank. Are you confident of your own systems? Have algorithms been rigorously tested prior to roll-out? And are they reviewed again when changes are made? Have you implemented a change process or procedure?
- Conduct risk-based due diligence - as part of the onboarding process and at regular intervals to verify the identity of individuals, entities and recipients
- Immediately report any concerns, knowledge or suspicions - relating to money laundering, terrorist financing, and Politically Exposed Persons (PEPs) to our MLRO
Aerospace engineer awarded £175 k in discrimination case
Aerospace engineer Peter Allen has been awarded £175,000 for harassment and discrimination on the grounds of sexual orientation at work.
The Manchester Employment Tribunal upheld his claim of harassment and direct discrimination on the grounds of sexual orientation against Paradigm Precision, and also agreed he was victimised and faced detrimental treatment when he requested adoption leave. Allen had faced homophobic insults and was passed over for promotion after he enquired about adoption leave.
The tribunal awarded Allen £175,000 which included £24k for unfair dismissal, £26k for injury to feelings, £70k for loss of earnings and £18k for failing to follow ACAS Code of Practice on Disciplinary and Grievance Procedures.
- Don't tolerate unacceptable behaviour in your team or dismiss it as banter - be vigilant so you quickly identify policy breaches in verbal exchanges, emails, social media, etc
- Keep equality laws "top of mind" - by holding regular discussions with your team about what is and is not acceptable
- Train your team to be self-aware and call out unacceptable or offensive behaviour or language by others - empower your team to create psychological safety and a more respectful workplace for everyone
- Regularly check policies (e.g. adoption policies, etc) and be sure to audit key decisions (eg training, promotion, recruitment) - to ensure they do not inadvertently disadvantage anyone with protected characteristics
- Remember, it's not just a "nice to have" - research consistently shows that companies that value diversity are more productive and profitable
Looking for more compliance insights?
Why not subscribe to our Compliance Bulletin which delivers a round-up email of all of this month's best practices, expert opinions, industry insights, key trends in regulatory compliance training, digital learning, EdTech and RegTech news.
Skillcast has partnered with YouGov to conduct primary research into compliance issues, attitudes and risk perceptions in the UK workplace to produce a series of Insights Blogs.
We also have 50+ free compliance training aids, including a selection of desk-aids, eBooks, guides, handouts, posters, training presentations and even free e-learning modules!